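# serverless.yml for the "wbh-gatekeeper" service: an API Gateway front door that
# authenticates callers with a Cognito user pool and proxies every other path to
# an internal upstream API. The gist rendering had lost all YAML indentation; it is
# restored here and the IAM grant for authenticated users is narrowed (see the
# WBHAuthenticatedUsersRole notes below).
service: wbh-gatekeeper

plugins:
  - serverless-offline
  - serverless-plugin-typescript
  - serverless-pseudo-parameters

provider:
  name: aws
  runtime: nodejs6.10
  stage: dev

custom:
  # Upstream that ProxyMethod forwards to; one host per stage.
  apiEndpoint: ${opt:stage, self:provider.stage}.internal.api.wbh.cubyard.com

functions:
  hello:
    handler: handler.hello
    events:
      # No `authorizer` on this event: GET /hello is reachable without a token,
      # unlike the {proxy+} routes below.
      - http:
          path: hello
          method: GET

resources:
  Resources:
    APIGatewayClientCertificate:
      Type: AWS::ApiGateway::ClientCertificate
      Properties:
        Description: "The client certificate for stage ${opt:stage, self:provider.stage}"
        # NOTE(review): nothing in this file attaches the certificate to a stage, so the
        # upstream cannot yet use it to verify that requests really came through this
        # gateway — confirm how the stage is configured outside this template.

    APIGatewayDomainCertificate:
      Type: AWS::CertificateManager::Certificate
      Properties:
        # Wildcard cert covers every per-stage host ({stage}.api.wbh.cubyard.com).
        DomainName: "*.api.wbh.cubyard.com"
        SubjectAlternativeNames:
          - api.wbh.cubyard.com
        Tags:
          - Key: Name
            Value: "WBH API Cert"

    APIGatewayBasePathMapping:
      Type: AWS::ApiGateway::BasePathMapping
      Properties:
        BasePath: ''
        Stage: ${opt:stage, self:provider.stage}
        DomainName:
          Ref: APIGatewayDomainName
        RestApiId:
          Ref: ApiGatewayRestApi

    APIGatewayDomainName:
      Type: AWS::ApiGateway::DomainName
      Properties:
        CertificateArn:
          Ref: APIGatewayDomainCertificate
        DomainName: ${opt:stage, self:provider.stage}.api.wbh.cubyard.com

    # Catch-all resource under the API root; every path not defined as a function
    # event lands here.
    ProxyResource:
      Type: AWS::ApiGateway::Resource
      Properties:
        ParentId:
          Fn::GetAtt:
            - ApiGatewayRestApi # our default Rest API logical ID
            - RootResourceId
        PathPart: '{proxy+}' # the endpoint in your API that is set as proxy
        RestApiId:
          Ref: ApiGatewayRestApi

    # Validates the caller's user-pool JWT. The token is read from a custom `Token`
    # header rather than `Authorization`; clients and the CORS allow-list below
    # must agree on that header name.
    ProxyMethodAuthorizer:
      Type: AWS::ApiGateway::Authorizer
      Properties:
        RestApiId:
          Ref: ApiGatewayRestApi
        IdentitySource: method.request.header.Token
        Type: COGNITO_USER_POOLS
        Name: WBHCognitoUserPoolAuthorizer_${opt:stage, self:provider.stage}
        ProviderARNs:
          - Fn::GetAtt:
              - CognitoUserPool
              - Arn

    # Authenticated proxy: any verb on {proxy+} is forwarded verbatim to the
    # internal upstream after the user-pool authorizer accepts the token.
    ProxyMethod:
      Type: AWS::ApiGateway::Method
      Properties:
        ResourceId:
          Ref: ProxyResource
        RestApiId:
          Ref: ApiGatewayRestApi
        HttpMethod: ANY # the method of your proxy. Is it GET or POST or ... ?
        AuthorizationType: COGNITO_USER_POOLS
        AuthorizerId:
          Ref: ProxyMethodAuthorizer
        RequestParameters:
          method.request.path.proxy: true
        Integration:
          IntegrationHttpMethod: ANY
          Type: HTTP_PROXY
          Uri: https://${self:custom.apiEndpoint}/{proxy} # the URL you want to set a proxy to
          RequestParameters:
            integration.request.path.proxy: method.request.path.proxy
            # Force an uncompressed upstream response so the gateway can pass it through.
            integration.request.header.Accept-Encoding: "'identity'"

    # CORS preflight for {proxy+}. Deliberately unauthenticated (browsers send
    # OPTIONS without credentials); it is a MOCK integration and never reaches
    # the upstream.
    OptionsMethod:
      Type: AWS::ApiGateway::Method
      Properties:
        AuthorizationType: NONE
        RestApiId:
          Ref: ApiGatewayRestApi
        ResourceId:
          Ref: ProxyResource
        HttpMethod: OPTIONS
        Integration:
          IntegrationResponses:
            - StatusCode: 200
              ResponseParameters:
                # `Token` must stay in this list or browsers will refuse to send it.
                method.response.header.Access-Control-Allow-Headers: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,Token'"
                method.response.header.Access-Control-Allow-Methods: "'GET,POST,HEAD,DELETE,OPTIONS'"
                # NOTE(review): wildcard origin on an authenticated API — narrow this to
                # the known web origin(s) once they are fixed.
                method.response.header.Access-Control-Allow-Origin: "'*'"
              ResponseTemplates:
                application/json: ''
          PassthroughBehavior: WHEN_NO_MATCH
          RequestTemplates:
            application/json: '{"statusCode": 200}'
          Type: MOCK
        MethodResponses:
          - StatusCode: 200
            ResponseModels:
              application/json: 'Empty'
            ResponseParameters:
              method.response.header.Access-Control-Allow-Headers: false
              method.response.header.Access-Control-Allow-Methods: false
              method.response.header.Access-Control-Allow-Origin: false

    # Identity pool that exchanges user-pool tokens for AWS credentials. Guest
    # access is disabled, so WBHUnauthenticatedUsersRole is attached but should
    # never actually be issued.
    CognitoIdentityPool:
      Type: AWS::Cognito::IdentityPool
      Properties:
        IdentityPoolName: WBHIdentityPool_${opt:stage, self:provider.stage}
        AllowUnauthenticatedIdentities: false
        CognitoIdentityProviders:
          - ClientId:
              Ref: CognitoUserPoolClient
            ProviderName:
              Fn::GetAtt:
                - CognitoUserPool
                - ProviderName

    CognitoUserPool:
      Type: AWS::Cognito::UserPool
      Properties:
        UserPoolName: WBHUserPool_${opt:stage, self:provider.stage}

    CognitoUserPoolClient:
      Type: AWS::Cognito::UserPoolClient
      Properties:
        ClientName: MobileUser
        UserPoolId:
          Ref: CognitoUserPool

    CognitoIdentityPoolRoleAttachment:
      Type: AWS::Cognito::IdentityPoolRoleAttachment
      Properties:
        IdentityPoolId:
          Ref: CognitoIdentityPool
        Roles:
          authenticated:
            Fn::GetAtt:
              - WBHAuthenticatedUsersRole
              - Arn
          unauthenticated:
            Fn::GetAtt:
              - WBHUnauthenticatedUsersRole
              - Arn

    # Credentials handed to signed-in users. Only assumable via this identity
    # pool and only for identities the pool marks as authenticated.
    WBHAuthenticatedUsersRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: WBHAuthenticatedUsersRole_${opt:stage, self:provider.stage}
        Policies:
          - PolicyName: AllowAPIInvocations
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                # Invoking a deployed API is `execute-api:Invoke` on an execute-api ARN.
                # The previous grant (`apigateway:*` on the apigateway ARN) was the
                # control-plane namespace: it let every signed-in user reconfigure or
                # delete the API and did not permit invocation at all. Note this grant
                # only matters for methods using AWS_IAM authorization; ProxyMethod
                # uses the user-pool authorizer, which ignores IAM credentials.
                - Effect: "Allow"
                  Action:
                    - "execute-api:Invoke"
                  Resource:
                    "Fn::Join":
                      - ''
                      -
                        - 'arn:aws:execute-api:'
                        - Ref: 'AWS::Region'
                        - ':'
                        - Ref: 'AWS::AccountId'
                        - ':'
                        - Ref: ApiGatewayRestApi
                        - '/*'
                - Effect: "Allow"
                  Action:
                    - "cognito-sync:*"
                    - "mobileanalytics:PutEvents"
                  Resource: "*"
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Principal:
                Federated:
                  - "cognito-identity.amazonaws.com"
              Action:
                - "sts:AssumeRoleWithWebIdentity"
              Condition:
                # Pin the role to this identity pool and to authenticated identities.
                StringEquals:
                  cognito-identity.amazonaws.com:aud:
                    Ref: CognitoIdentityPool
                ForAnyValue:StringLike:
                  cognito-identity.amazonaws.com:amr: authenticated

    # Guest role: Cognito sync/analytics only, no API access. Kept because the
    # identity pool role attachment requires both keys, even with guest access off.
    WBHUnauthenticatedUsersRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: WBHUnauthenticatedUsersRole_${opt:stage, self:provider.stage}
        Policies:
          - PolicyName: CognitoOnly
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: "Allow"
                  Action:
                    - "cognito-sync:*"
                    - "mobileanalytics:PutEvents"
                  Resource: "*"
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Principal:
                Federated:
                  - "cognito-identity.amazonaws.com"
              Action:
                - "sts:AssumeRoleWithWebIdentity"
              Condition:
                StringEquals:
                  cognito-identity.amazonaws.com:aud:
                    Ref: CognitoIdentityPool
                ForAnyValue:StringLike:
                  cognito-identity.amazonaws.com:amr: unauthenticated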